W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

#342 WWW-Authenticate ABNF slightly ambiguous

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 07 Feb 2012 15:47:46 +0100
Message-ID: <4F313992.5080702@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>
Hi there,

sometime ago, when writing the tests at 
<http://greenbytes.de/tech/tc/httpauth/>, I noticed that the grammar for 
WWW-Authenticate (and Proxy-Authenticate) is ambiguous:

Example:

  Basic realm="foo", , Otherscheme realm="bar"

This can be parsed as either three challenges:

1: Basic realm="foo"
2:
3: Otherscheme realm="bar"

or as two challenges:

1: Basic realm="foo",
2: Otherscheme realm="bar"

...where the first challenge has a list of auth-params where the first 
one is the realm, and the second one is empty.

(see <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/342>).

Proposal: just note this so implementers aren't more surprised than needed.

Proposed patch: 
<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/342/342.diff>

This changes the text for *Authenticate to:

4.2.  Proxy-Authenticate

    The "Proxy-Authenticate" header field consists of a challenge that
    indicates the authentication scheme and parameters applicable to the
    proxy for this effective request URI (Section 4.3 of [Part1]).  It
    MUST be included as part of a 407 (Proxy Authentication Required)
    response.

      Proxy-Authenticate = 1#challenge

    Unlike WWW-Authenticate, the Proxy-Authenticate header field applies
    only to the current connection and SHOULD NOT be passed on to
    downstream clients.  However, an intermediate proxy might need to
    obtain its own credentials by requesting them from the downstream
    client, which in some circumstances will appear as if the proxy is
    forwarding the Proxy-Authenticate header field.

    Note that the parsing considerations for WWW-Authenticate apply to
    this header field as well; see Section 4.4 for details.


and


4.4.  WWW-Authenticate

    The "WWW-Authenticate" header field consists of at least one
    challenge that indicates the authentication scheme(s) and parameters
    applicable to the effective request URI (Section 4.3 of [Part1]).

    It MUST be included in 401 (Unauthorized) response messages and MAY
    be included in other response messages to indicate that supplying
    credentials (or different credentials) might affect the response.

      WWW-Authenticate = 1#challenge

    User agents are advised to take special care in parsing the WWW-
    Authenticate field value as it might contain more than one challenge,
    or if more than one WWW-Authenticate header field is provided, the
    contents of a challenge itself can contain a comma-separated list of
    authentication parameters.

    For instance:

      WWW-Authenticate: Newauth realm="apps", type=1,
                        title="Login to \"apps\"", Basic realm="simple"

    This header field contains two challenges; one for the "Newauth"
    scheme with a realm value of "apps", and two additional parameters
    "type" and "title", and another one for the "Basic" scheme with a
    realm value of "simple".

       Note: the challenge grammar production uses the list syntax as
       well.  Therefore, a sequence of comma, whitespace, and comma can
       be considered both as applying to the preceding challenge, or to
       be an empty entry in the list of challenges.  In practice, this
       ambiguity does not affect the semantics of the header field value
       and thus is harmless.


Feedback appreciated, Julian
Received on Tuesday, 7 February 2012 14:51:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:55 GMT